Coca Cola’s Chief Privacy Officer on the Challenges and Importance of Working with Business on Security and Privacy

Katherine Fithen, Chief Privacy Officer for The Coca Cola Company, discussed how to talk to business about privacy and security as a competitive advantage.

In the first keynote presentation of the day at the 2017 Chief Information Security Office Leadership Forum held in Atlanta on April 5, Fithen announced she’d be talking about the challenges of security and privacy in general but specifically about challenges relating to privacy and security in business partnerships. “What are the questions we need to ask and what are the answers we need to have prepared for our businesses and our leaders?”

Fithen talked about a few of the headline security breaches of the past few years: T.J. Maxx, Target, Anthem. “Today, the T.J. Maxx breach seems like a historical blip but, when it happened, it was a huge deal because everybody was surprised.” T.J. Maxx was compliant with the PCI requirements and certified, so how was this breach possible?

“Today, the T.J. Maxx breach seems like a historical blip but, when it happened, it was a huge deal because everybody was surprised.”

Of course, no company wants to be in the media because of a breach. “What do we want to tell our leadership about security? We need to let them know that privacy and security can be a competitive advantage. Gaining the trust of our consumers and our partners is a competitive advantage, and we need to use it that way. However, there’s no 100% security. Compliance doesn’t mean security, and we need to help our compliance organizations understand this and work together with them to make sure we come up with the right approach.”

Fithen continued, “Know what’s important when a breach happens. You have to think about this ahead of time. Breaches are going to happen, so be prepared for them. Make sure you can detect a breach early, and know who makes up your breach response team. This depends on the data. Also, identify a spokesperson, internally and externally. Determine what kind of data was possibly breached—intellectual property, personal information, financial information—and determine how long the data was exposed or compromised, and how widely. Be familiar with your notification requirements, particularly in the privacy area, for reporting to users, data protection authorities, and government agencies. We need to be sure we’re providing accurate information in these notifications,” advised Fithen.

“Today, more countries have some kind of security or privacy law or regulation in place than don’t. We crossed that line a couple of years ago. The real message to my leadership is that these laws change very fast, and they’re changing almost constantly. It’s tough on our business to deal with, and it’s tough on our IT organizations to make sure the technology we implement meets these requirements.”

“Today, more countries have some kind of security or privacy law or regulation in place than don’t. We crossed that line a couple of years ago.”

“Security is often an IT function, and IT is often challenged by understanding the laws,” she said. “One of the biggest challenges we face in IT is we expect the laws to be logical. That’s just silly. It doesn’t work that way. Then there’s the business owner. The business owner (and marketing people and, more recently, HR) wants to know everything they can so the company can provide tailored user experiences for its consumers or employees. We need to make sure we’re protecting that data and using it the way we told people we were going to.” Getting these three groups—legal, IT, and business—to align and work together is critical, Fithen emphasized.

“Security is often an IT function, and IT is often challenged by understanding the laws. One of the biggest challenges we face in IT is we expect the laws to be logical. That’s just silly. It doesn’t work that way.”

Fithen outlined five questions for determining the who, what, where, when, and how of privacy and security:
1. Who needs to be part of the privacy and security decisions? “The business owner of the data, legal, IT, IT security, privacy,” said Fithen.
2. What data will be collected and processed, and why?
3. Where’s the data from, where will be it stored/accessed, and by whom?
4. When—how long will the data be retained?
5. How will we protect the data? "We use ACLs, encryption (who owns/manages the encryption key?), SoD, MFA, network segmentation, and vendor management.”

ABOUT KATHERINE FITHEN:

Katherine Fithen has been a leader in information security for more than 20 years. She's currently the Chief Privacy Officer and Director of Governance & Compliance at The Coca-Cola Company. Prior to joining The Coca-Cola Company in 2002, Katherine was the Senior Manager of the CSIRT Program at PricewaterhouseCoopers, LLP, and, prior to PWC, the Manager of the CERT®. Katherine has earned a Bachelor of Arts in Retail Management, a Master of Arts in Personnel Management, and a Master of Science in Information Science.

Katherine is on several advisory boards for privacy and security. In August 2015, Katherine was listed as one of “Women in IT Security: 10 Power Players.”

Key Takeaways

Gaining the trust of your consumers and partners is a competitive advantage, and the business needs to use it that way. However, there’s no 100% security. Compliance doesn’t mean security.

Know what’s important when a breach happens. You have to think about this ahead of time. Breaches are going to happen, so be prepared for them. Make sure you can detect a breach early, and know who makes up your breach response team.

Be familiar with your notification requirements, particularly in the privacy area, for reporting to users, data protection authorities, and government agencies.